Home Azure Virtual Machines Connect to VM via SSH
Last updated: May 2026
Azure Virtual Machines Beginner AZ-104 ⏱ 14 min read

Connect to Azure VM via SSH

SSH (Secure Shell) is the standard way to connect to Linux VMs. It's a secure, encrypted terminal session — everything you type and see is encrypted end-to-end. This page covers connecting from any platform, understanding key-based authentication, setting up SSH config for easier connections, troubleshooting common issues, and using Azure Bastion as a portal-based alternative.

What you'll learn SSH from Windows, Mac, and Linux · Key-based vs password authentication · SSH config file for easier connections · Port forwarding · Troubleshooting connection failures · Azure Bastion — SSH without opening port 22 · Copying files with SCP
Table of Contents
  1. How SSH Works
  2. Before You Connect
  3. Connect from Mac or Linux
  4. Connect from Windows
  5. SSH Config File — Simplify Connections
  6. SSH Port Forwarding
  7. Copy Files with SCP
  8. Azure Bastion — No Port 22 Needed
  9. Troubleshooting SSH Issues
  10. Practice Questions

How SSH Works

SSH creates an encrypted tunnel between your machine and the VM. Here's what happens when you run ssh azureuser@4.188.23.45:

  1. Your SSH client connects to port 22 on the VM's public IP
  2. The server sends its host key fingerprint — you verify it once on first connection
  3. Your client proves your identity using your private key (or password)
  4. An encrypted channel is established — everything is encrypted from this point
  5. You get an interactive terminal prompt on the remote VM
ℹ️
Key-based Authentication Flow The VM has your public key in ~/.ssh/authorized_keys. When you connect, the server encrypts a challenge with your public key. Only your private key can decrypt it. If the response is correct, you're authenticated — without ever sending a password over the network.

Before You Connect

Make sure these are in place:

  • VM is running (not deallocated)
  • Port 22 is open in the VM's Network Security Group
  • You have the VM's public IP address
  • You have either the private key or the password for the admin account
Azure CLI Get VM public IP 
az vm show \
  --resource-group myResourceGroup \
  --name myVM \
  --show-details \
  --query publicIps \
  --output tsv

Connect from Mac or Linux

SSH is built into macOS and Linux — open Terminal and connect directly:

Bash Basic SSH connection 
# Connect with default key (~/.ssh/id_rsa)
ssh azureuser@4.188.23.45

# Connect with a specific key file
ssh -i ~/.ssh/my-azure-key azureuser@4.188.23.45

# Connect with verbose output (useful for debugging)
ssh -v azureuser@4.188.23.45

# Connect on a non-standard port (if SSH is not on port 22)
ssh -p 2222 azureuser@4.188.23.45

Connect from Windows

Windows 10/11 includes a built-in OpenSSH client. Open PowerShell or Command Prompt and use the same ssh commands as Mac/Linux.

PowerShell Connect from Windows 
# Same command works in PowerShell
ssh azureuser@4.188.23.45

# With a specific key file
ssh -i C:\Users\YourName\.ssh\id_rsa azureuser@4.188.23.45
ℹ️
Third-Party SSH Clients for Windows If you prefer a GUI, PuTTY is the classic Windows SSH client. MobaXterm is a more feature-rich option. Windows Terminal with the built-in SSH is the modern recommended approach.

SSH Config File — Simplify Connections

Typing the full SSH command every time is tedious. The SSH config file lets you create shortcuts:

Bash ~/.ssh/config 
# Edit or create ~/.ssh/config
# On Windows: C:\Users\YourName\.ssh\config

Host azure-prod
    HostName 4.188.23.45
    User azureuser
    IdentityFile ~/.ssh/id_rsa
    Port 22

Host azure-dev
    HostName 52.140.67.89
    User azureuser
    IdentityFile ~/.ssh/azure-dev-key
    Port 22

Now instead of typing the full command, just use:

Bash Connect using SSH config alias 
ssh azure-prod
ssh azure-dev

SSH Port Forwarding

Port forwarding lets you securely access services running on the VM that aren't publicly exposed. For example, if a web app runs on port 8080 of the VM, you can access it locally:

Bash Local port forwarding 
# Forward local port 8080 to VM's port 8080
# After running this, open http://localhost:8080 in your browser
ssh -L 8080:localhost:8080 azureuser@4.188.23.45

# Forward local port 5432 to VM's PostgreSQL (port 5432)
ssh -L 5432:localhost:5432 azureuser@4.188.23.45

Copy Files with SCP

SCP (Secure Copy Protocol) uses SSH to transfer files securely:

Bash Copy files to/from the VM 
# Copy a local file TO the VM
scp myfile.txt azureuser@4.188.23.45:/home/azureuser/

# Copy a file FROM the VM to local machine
scp azureuser@4.188.23.45:/home/azureuser/logs.txt ./logs.txt

# Copy an entire directory to the VM
scp -r ./myapp/ azureuser@4.188.23.45:/home/azureuser/myapp/

# Using SSH config alias
scp myfile.txt azure-prod:/home/azureuser/

Azure Bastion — SSH Without Opening Port 22

Opening SSH (port 22) to the internet exposes your VM to constant brute-force attempts. Azure Bastion is a managed service that provides browser-based SSH access without needing a public IP or open ports on your VM.

How Azure Bastion Works

Azure Bastion acts as a jump server inside your VNet. You connect to it through the Azure Portal over HTTPS (port 443). Bastion then connects to your VM over SSH on the private network — the VM doesn't need a public IP or open port 22.

Direct SSHAzure Bastion
Requires public IP on VMYesNo
Port 22 exposed to internetYesNo
Connection methodSSH client on your machineBrowser (Azure Portal)
CostFree~₹5,000–6,000/month per Bastion host
SecurityDepends on NSG rulesHigher — no internet exposure
💡
When to Use Bastion For production VMs with sensitive workloads, Azure Bastion is the recommended approach. For dev/test or learning, direct SSH with a restricted NSG rule (your IP only) is acceptable and free.

Troubleshooting SSH Issues

Connection Refused (port 22)

  • Check the NSG — is port 22 open for your IP?
  • Is the VM running? (not deallocated)
  • Check the correct public IP — it may have changed if using a dynamic IP

Permission Denied (publickey)

  • Are you using the right private key? Try ssh -i /path/to/key
  • Check key permissions: chmod 600 ~/.ssh/id_rsa (must be 600, not 644)
  • Is the public key correctly installed in the VM's ~/.ssh/authorized_keys?
Bash Fix SSH key permissions 
# SSH key permissions must be restricted
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub

Connection Timeout

  • VM may be stopped or deallocated
  • NSG may be blocking your IP — check what IP you're connecting from
  • The VM may be in a different region and the public IP may have changed

Host Key Verification Failed

  • This happens when you recreate a VM with the same IP — the host key changes
  • Remove the old key: ssh-keygen -R 4.188.23.45
  • Then connect again and accept the new host key
💡
AZ-104 Exam Tip Know that SSH uses port 22, that you need NSG rules to allow port 22, that SSH keys are more secure than passwords, and that Azure Bastion provides browser-based SSH access without exposing port 22 to the internet.
📝 Practice Questions
Click an option to check your answer. AZ-104 style questions.
Q1. A security team wants to allow administrators to connect to Linux VMs via SSH without exposing port 22 to the internet. What Azure service should they use?
A Azure VPN Gateway
B Azure Bastion
C Azure Load Balancer
D Azure Firewall
Q2. An administrator tries to SSH into a Linux VM and gets "Permission denied (publickey)". What is the most likely cause?
A Port 22 is blocked in the Network Security Group
B The administrator does not have permission to read a file on the VM
C The wrong private key is being used or the key has incorrect file permissions
D The VM has been deallocated
Q3. What is SSH port forwarding used for?
A To speed up SSH connections to the VM
B To securely access services on the VM through an encrypted tunnel without opening additional ports
C To change the SSH port from 22 to a custom port
D To allow password authentication instead of key authentication
Q4. What command would you use to copy a local file "app.zip" to the /home/azureuser/ directory on a remote VM?
A ssh azureuser@4.188.23.45 app.zip /home/azureuser/
B scp app.zip azureuser@4.188.23.45:/home/azureuser/
C scp azureuser@4.188.23.45:/home/azureuser/ app.zip
D curl app.zip azureuser@4.188.23.45:/home/azureuser/
Q5. An administrator connects to a new VM and sees: "The authenticity of host '4.188.23.45' can't be established." What should they do?
A Immediately disconnect — the VM has been compromised
B Disable host key checking in the SSH config
C Type "yes" to accept and save the host fingerprint — this is normal on first connection
D Contact Microsoft support before proceeding
Related Topics
Azure Virtual Machines Create a Linux VM Azure Virtual Machines Connect to VM via RDP Azure Virtual Machines Azure Bastion
← Previous Create a Linux VM
Comments
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with, endorsed by, or officially connected to Microsoft Corporation. All product names, logos, and trademarks are property of their respective owners. Content is written independently for educational purposes only.